Abstract

The enforcement of access control policies using cryptography has received considerable
attention in recent years and the security of such enforcement schemes is increasingly well
understood. Recent work in the area has considered the efficient enforcement of temporal and
geo-spatial access control policies, and asymptotic results for the time and space complexity
of efficient enforcement schemes have been obtained. However, for practical purposes, it is
useful to have explicit bounds for the complexity of enforcement schemes.

In this paper, we consider interval-based access control policies, of which temporal and
geo-spatial access control policies are special cases. We define enforcement schemes for
interval-based access control policies for which it is possible, in almost all cases, to obtain
exact values for the schemes' complexity, thereby subsuming a substantial body of work in the
literature. Moreover, our enforcement schemes are more practical than existing schemes, in the
sense that they operate in the same way as standard cryptographic enforcement schemes, unlike
other efficient schemes in the literature. The main difference between our approach and
earlier work is that we develop techniques that are specific to the cryptographic enforcement
of interval-based access control policies, rather than applying generic techniques that give rise
to complex constructions and asymptotic bounds.

1 Introduction 

In some situations, we may wish to use cryptographic techniques to enforce some form of access
control. Such an approach is useful when data objects have the following characteristics: read
often, by many users; written once, or rarely, by the owner of the data; and transmitted over
unprotected networks. Fu, Kamara, and Kohno (2006) identify content distribution networks, such
as Akamai and BitTorrent, as applications where some kind of cryptographic access control is
particularly suitable. In such circumstances, protected data (objects) are encrypted and authorized
users are given the appropriate cryptographic keys. When cryptographic enforcement is used, the
problem we must address is the efficient and accurate distribution of encryption keys to authorized
users.

In recent years, there has been a considerable amount of interest in key encrypting or key 
assignment schemes. In such schemes, a user is given a secret value - typically a single key - 
which enables the user to derive some collection of encryption keys which decrypt the objects for 
which she is authorized. Key derivation is performed using the secret value and some information 
made publicly available by the scheme administrator. The two objectives when designing such 
a scheme are to minimize the amount of public information and the time required to derive a 
key. Unsurprisingly, it is not possible to realize both objectives simultaneously, so trade-offs have 



been sought. Crampton, Martin, and Wild (2006) provide a survey of, and taxonomy for, key 



assignment schemes, and the various factors that affect the parameters described above. 

At the same time, we have seen the development of access control models in which
time plays an important role in deciding whether access requests are authorized or
not (Bertino, Bonatti, and Ferrari 2001). One particular application of such "temporal
access control" systems is the protection of data that is made available periodically as
(part of) a subscription-based service (Bertino, Carminati, and Ferrari 2002). Prior to 2006,
a number of schemes for enforcing temporal access control policies using cryptographic
mechanisms appeared in the literature, many of which have been shown to be insecure
(see Atallah, Blanton, and Frikken (2007b) for a summary of this work).

Atallah, Blanton, and Frikken (2007b), Ateniese, De Santis, Ferrara, and Masucci (2006) and
De Santis, Ferrara, and Masucci (2007b) described the first key assignment schemes for temporal
access control with provable security properties. This work focused on two particular aspects:

• the development of schemes that provided key indistinguishability, and 

• the reduction of the storage required for public information and the number of operations 
required for key derivation. 

One shortcoming of their work is that the methods used to tackle the second of these issues do 
not consider the actual requirements of the underlying access control policy. Instead, generic 
techniques to reduce the diameter of a directed graph are applied. This has two consequences: 
optimizations that are tailored to the particular characteristics of the problem are not considered 
and only the asymptotic behavior of the constructions is provided. Given that the number of time 
intervals m is likely to be rather small in many practical applications, it is not clear that this 
kind of approach is the most appropriate. Moreover, the absence of explicit bounds means that 
for small m it is not at all obvious which scheme is optimal. In short, existing schemes may be 
efficient (for large values of m) but it is questionable whether they are practical. 



Atallah, Blanton, and Frikken (2007a) have also studied the enforcement of "geo-spatial"
access control policies. In this context, users are authorized to access data that belongs to particular
locations in a rectangular grid. Atallah et al. apply rather similar techniques (as those used for 
temporal access control policies) to construct asymptotic bounds on the amount of space and the 
number of derivation steps required. 

In this paper, we consider optimizations for both temporal and geo-spatial access control 
policies that arise from a rather straightforward observation about the particular problem at 
hand. This enables us to present concrete schemes with precise bounds on the amount of storage 
and the number of derivation steps required. 

The space and time complexity of cryptographic enforcement schemes can be measured
in "edges" and "hops" respectively (Crampton, Martin, and Wild 2006). For the enforcement
of a temporal access control policy with $m$ time points, for example, we require $m(m-1)$
edges and $\lceil \log_2 m \rceil$ hops,^1 whereas Atallah, Blanton, and Frikken (2007b) require
$O(m^2)$ edges and $O(\log^* m)$ hops and De Santis, Ferrara, and Masucci (2008) require
$O(m^2 \log m)$ edges and $O(\log^* m)$ hops.^2 However, substantial multiplicative constants and
lower-order terms may be hidden by the $O$ notation when it comes to the number of edges and the
number of hops required for key derivation.^3

For values of $m$ that are likely to be used in practice, these terms will be
of considerable importance. The actual number of hops required by the scheme of
Atallah, Blanton, and Frikken (2007b), for example, is $2 \log^* m + 4$, which, for many values of
$m$ of practical interest, will be greater than $\lceil \log m \rceil$. Moreover, the edge sets that are
used in existing efficient constructions require bespoke algorithms for key derivation and
modifications to the basic operation of a key assignment scheme (Atallah, Blanton, and Frikken 2007a).
In contrast, key derivation for our constructions remains very simple.



^1 Henceforth, all logarithms are base 2, unless explicitly stated otherwise.

^2 The function $\log^* : \mathbb{N} \to \mathbb{N}$ is the iterated log function, where $\log^* m = 0$ if
$m \le 1$ and $\log^* m = 1 + \log^*(\log m)$ for $m > 1$. The iterated log function grows very slowly:
$\log^* m \le 4$ for all $m \le 2^{16}$ and $\log^* m \le 5$ for all $m \le 2^{65536}$, for example.

^3 The schemes in the literature do not consider the multiplicative constants or lower-order terms. It is, perhaps,
an indication of the complexity of the constructions in the literature that we have not, despite considerable effort,
been able to determine the multiplicative constants in the expressions given for the number of edges.



Finally, we demonstrate that temporal and geo-spatial access control policies (at least as they 
are understood in the context of key assignment schemes) are special cases of a more general type 
of policy, which we call an interval-based access control policy. Such policies are parameterized by 
an integer $k$, where temporal and geo-spatial policies correspond to the cases $k = 1$ and $k = 2$,
respectively. Perhaps the most important contribution of this paper is to describe how to construct 
a set of edges for an arbitrary value of k and provide tight bounds on the number of edges and 
key derivation hops required. 

In summary, the main contributions of this paper are: 

• to generalize the problem of enforcement of temporal and geo-spatial access control policies 
to the enforcement of interval-based access control policies; 

• to provide tight bounds on the complexity of enforcing temporal, geo-spatial and
interval-based access control policies using key assignment schemes;

• to provide simple, concrete constructions for such schemes. 

In the next section, we describe some relevant background material, define what we mean by 
an interval-based access control policy, and introduce the problem of enforcing an interval-based 
access control policy using cryptographic mechanisms. In Section 3 we consider temporal access
control policies. The main contribution of this section is to state and prove a rather general result
and explore some special cases of this result. In this section we also consider constructions in
which the user may have more than one key. In Section 4 we consider the related problem of
cryptographic enforcement of geo-spatial access control policies. We describe relevant related work
in both Section 3 and 4. In Section 5 we derive results for general interval-based access control
policies. We conclude the paper with a summary of our contributions and some suggestions for
future work. 

2 Key Assignment Schemes 

Given a partially ordered set of security labels $(L, \le)$, an information flow policy requires that
each user $u$ and protected object $o$ be assigned a security label and that information flows between
objects and users are consistent with the ordering $\le$: specifically, $u$ is authorized to read $o$ provided
the security label of $u$ is greater than or equal to that of $o$ (Bell and LaPadula 1976). More
formally, let $\lambda : U \cup O \to L$ be a labeling function that associates each entity with a security label.
Then $u$ is authorized to access $o$ if and only if $\lambda(u) \ge \lambda(o)$.

A key assignment scheme may be used to enforce an information flow policy. In such a scheme, 
it is assumed that every node in L is associated with a symmetric cryptographic key. For a given 
node $x \in L$, all objects associated with $x$ are encrypted with the appropriate key, and all users
associated with $x$ are given, or can derive, the key for node $x$ and for each node less than or equal
to $x$.

More formally, a key assignment scheme comprises a set of keys $\{\kappa(x) : x \in L\}$ and a set of
public information. Each object with security label $x$ is encrypted with $\kappa(x)$. A user $u$ with the
key $\kappa(\lambda(u))$ must be able to derive $\kappa(y)$ for any $y \le \lambda(u)$, using $\kappa(\lambda(u))$ and public information.
Hence, a user can decrypt any object with security label $y$, where $y \le \lambda(u)$. The first such
scheme was described by Akl and Taylor (1983). The parameters that characterize the behavior
of a key assignment scheme are:

• the number of keys that a user requires;

• the amount of public information that is required;^4

• the amount of time taken to derive a key (equivalently, the number of operations required
to perform key derivation).

^4 The public information always includes a data structure encoding $(L, \le)$.



We could, trivially, give a user the key associated with each label for which she is authorized, 
but this type of approach is rarely considered appropriate. Most of the literature on key assignment 
schemes assumes that each user has a single secret value and the keys for which she is authorized 
are derived from this secret value. In general, the more public information employed by the scheme, 
the smaller the number of key derivation steps required in the worst case. 

2.1 Correctness and security 

A key assignment scheme that enforces an information flow policy for $(L, \le)$ must be correct and
it must be secure. Informally, we say a key assignment scheme is 

• correct if each user can derive the keys for which she is authorized; 

• secure if no set of users can derive a key for which none of them is authorized. 

Recently, the notions of key recovery and key indistinguishability have been
introduced to capture in more formal terms what it means for a key assignment
scheme to be secure (Atallah, Blanton, Fazio, and Frikken 2009;
Ateniese, De Santis, Ferrara, and Masucci 2006). Informally, to obtain a scheme with the
key recovery property, each node $x \in V$ is associated with a secret value $\kappa(x)$, and, for each
edge $(x,y) \in E$, we publish $\mathrm{Enc}_{\kappa(x)}(\kappa(y))$, where $\mathrm{Enc}_{\kappa}(M)$ denotes the encryption of message
$M$ using key $\kappa$. Then any user in possession of $\kappa(x)$ can derive $\kappa(y)$ in one step, and for any $z$
on a path from $x$ containing $e$ edges, $\kappa(z)$ can be (iteratively) derived in $e$ steps. Such a scheme
can be extended to one with the property of key indistinguishability by associating a secret value
$\sigma(x)$ with each node $x$, making $\kappa(x)$ a function of $\sigma(x)$ and using $\sigma(x)$ to derive $\sigma(y)$.

For the purposes of this paper, it is sufficient to note that given a directed,
acyclic graph $G = (V,E)$, there exists a key assignment scheme that has the
property of key indistinguishability, the amount of storage required is proportional to $|E|$
(the cardinality of $E$), and the number of derivation steps required is equal to
the diameter of $G$ (the length of the longest path in $G$). The interested reader
is referred to the literature for further details (Atallah, Blanton, Fazio, and Frikken 2009;
Ateniese, De Santis, Ferrara, and Masucci 2006).

2.2 Derivation-storage trade-offs 

A partially ordered set $(L, \le)$ can be represented by a directed, acyclic graph $(V, E)$, where $V = L$.
There are two obvious choices for the edge set $E$: one is the full partial order relation $\le$; the second
is to omit all transitive and reflexive edges from $\le$ to obtain the covering relation, denoted $\lessdot$.
The graph $(L, \lessdot)$ is called the Hasse diagram of $L$, and is the standard representation of $L$ as a
directed graph (?).

It can be seen that a key assignment scheme for a directed graph can be used specifically to
enforce an information flow policy. We may use the graph $(L, \le)$, in which case key derivation
can always be performed in one step. In contrast, key derivation may require a number of steps
when we use the graph $(L, \lessdot)$. The trade-off here is that the second graph contains fewer edges
and hence the number of items of public information that are required to support key derivation
is smaller. The study of these kinds of trade-offs will be the focus of this paper.

2.3 Interval-based access control policies 

Let $O$ be a set of protected objects, let $U$ be a set of users, and let $A_1, \dots, A_k$ be finite, totally
ordered sets of cardinality $n_1, \dots, n_k$, respectively. We write $\mathcal{A}$ to denote
$\prod_{i=1}^{k} A_i = A_1 \times \dots \times A_k$. We say $[x_i, y_i] \subseteq A_i$, where $1 \le x_i \le y_i \le n_i$, is an
interval in $A_i$. We say $\prod_{i=1}^{k} [x_i, y_i] = [x_1, y_1] \times \dots \times [x_k, y_k] \subseteq \mathcal{A}$ is a hyperrectangle.
We write $\mathrm{HRec}(\mathcal{A})$ to denote the set of hyperrectangles in $\mathcal{A}$.

We assume that each object $o \in O$ is associated with a unique attribute tuple $(a_1, \dots, a_k) \in \mathcal{A}$,
and each user $u \in U$ is authorized for some hyperrectangle $\prod_{i=1}^{k} [x_i, y_i] \in \mathrm{HRec}(\mathcal{A})$. Then we
say that a user $u$ associated with $\prod_{i=1}^{k} [x_i, y_i]$ is authorized to read an object $o$ associated with
tuple $(a_1, \dots, a_k) \in \mathcal{A}$ if and only if $a_i \in [x_i, y_i]$ for all $i$. Such a policy may be enforced using
cryptographic methods:

• each attribute tuple $a = (a_1, \dots, a_k) \in \mathcal{A}$ is associated with a cryptographic key, which we
denote by $\kappa(a)$;

• all objects $o$ that are associated with $a$ are encrypted with $\kappa(a)$;

• $u$ should be able to derive $\kappa(a)$ whenever $a_i \in [x_i, y_i]$ for all $i$.

The problem that we consider in the remainder of this paper is the construction of a set of
edges $E$ for the set of nodes $\mathrm{HRec}(\mathcal{A})$ such that:

• for all $\prod_{i=1}^{k} [x_i, y_i]$ and all $(a_1, \dots, a_k)$, there exists a path from $\prod_{i=1}^{k} [x_i, y_i]$ to
$(a_1, \dots, a_k)$ if and only if $a_i \in [x_i, y_i]$;

• $|E|$ is small;

• the diameter of the graph $(\mathrm{HRec}(\mathcal{A}), E)$ is small.

The first criterion requires that the graph implements the desired access control policy. We say 
a set of edges $E$ is policy-enforcing, or simply enforcing, if it satisfies this criterion. The second
means that we wish to keep the public storage requirements small, while the final criterion requires 
that the complexity of worst-case key derivation time be low. 

In the remainder of this section we review two special cases of interval-based access control 
that have been widely studied in the literature. To simplify our exposition and comparison with 
related work, we will consider these special cases in detail in Sections 3 and 4 before studying the
general case in Section 5.

2.3.1 Temporal access control 

When $k = 1$, we have $\mathcal{A} = A_1$. It is customary to interpret $A_1$ as a finite set of $n$ consecutive
time points (see (Atallah, Blanton, and Frikken 2007b; De Santis, Ferrara, and Masucci 2008), for
example). Each object is associated with a unique time point, and each user is associated with a
set of consecutive time points (an interval). Without loss of generality, we assume that the time
points are in one-to-one correspondence with the integers $1, \dots, n$. We write $[x,y]$ to denote the
set $\{t : x \le t \le y\}$. Then each object is associated with some integer $x \in [1,n]$ and each user is
associated with some interval $[x,y] \subseteq [1,n]$. A user associated with interval $[x,y]$ should be able
to derive $\kappa(t)$ for all $t \in [x, y]$.

Henceforth, we write $T_n$ to denote the set of intervals in $[1,n]$: that is,

$$T_n = \{[x,y] : 1 \le x \le y \le n\}.$$

We denote the set of all intervals by $T_n$ because the partially ordered set $(T_n, \subseteq)$ has a natural
representation as a triangular grid, as illustrated in Figure 1. We may refer to $T_n$ as an $n$-triangle.
A node of the form $[x,x] \in T_n$ is equivalent to a point $x \in [1,n]$ and will be called a leaf node.
The set of leaf nodes corresponds to the totally ordered set of time points $1, \dots, n$.

2.3.2 Geo-spatial access control 

When $k = 2$, we have $\mathcal{A} = A_1 \times A_2$, which represents a finite rectangular grid of
points. In this case each object is associated with a unique point in the grid, and each
user is associated with a set of points that correspond to a sub-rectangle of the rectangular
grid (Atallah, Blanton, and Frikken 2007a). Without loss of generality, we assume
$A_1 = \{1, \dots, m\}$ and $A_2 = \{1, \dots, n\}$. Then each object is associated with some point $(x,y)$ and
each user is associated with some rectangle
$[x_1, y_1] \times [x_2, y_2] = \{(t_1, t_2) : t_1 \in [x_1, y_1], t_2 \in [x_2, y_2]\}$.
We write $T_{m,n}$ (as an abbreviation of the more accurate $T_m \times T_n$) to denote the set of rectangles
defined by a rectangular $m \times n$ grid of points: that is

$$T_{m,n} \stackrel{\text{def}}{=} \{[x_1, y_1] \times [x_2, y_2] : 1 \le x_1 \le y_1 \le m,\ 1 \le x_2 \le y_2 \le n\}.$$

Figure 1: The Hasse diagram of $(T_4, \subseteq)$



Nodes of the form $[x, x] \times [y, y]$ - which may also be interpreted as the point $(x, y)$ - will be called
leaf nodes. The set of leaf nodes corresponds to the set of points in the rectangular $m \times n$ grid.

It is rather difficult to represent $T_{m,n}$ in two dimensions for all but the smallest values of $m$
and $n$. Two different visualizations of $T_{2,2}$ are shown in Figure 2: the first simply illustrates it as a
partially ordered set of subsets ordered by subset inclusion in which rectangles are represented by
filled circles; the second illustrates it by building the rectangles on top of a $2 \times 2$ grid (in a manner
analogous to the representation of $T_m$ used in Figure 1). In the second figure, nodes of the same
color have the same area (as rectangles): all rectangles of area 2 are filled in gray, whereas all
rectangles of area 1 are filled white. Although the first visualization is perhaps easier to interpret,
it is the second visualization that we will have in mind when developing our constructions in
Section 4.

Figure 2: Two representations of $T_2 \times T_2$



3 Temporal Access Control 

In this section we first describe two rather simple schemes that will be used as "building blocks" 
for more complex schemes. Then, in Section 3.1, we describe a general construction in which users
have a single key, and derive a number of concrete constructions as special cases. In particular,
we describe a construction for $T_m$ in which the resulting graph has $O(m^2 \log\log m)$ edges and
diameter $\log\log m$. In Section 3.2 we describe a construction in which users may have two keys.

Before proceeding any further, we note the existence of a lower bound on the cardinality of 
an enforcing set of edges and the existence of an enforcing set of edges that yields a graph of 
diameter 1. 

Proposition 1 Let $E$ be an enforcing set of edges for $T_m$. Then $|E| \ge m(m-1)$.

Proof Suppose that $E$ is an enforcing set of edges such that $|E| < m(m-1)$. Then at least one
non-leaf node $[x, y]$, where $y > x$, has out-degree less than 2. This implies one of two things:

• either there exists $z \in [x,y]$ such that $[z,z]$ is not reachable from $[x,y]$;

• or there exists an edge from $[x,y]$ to $[x',y']$ such that $[x,y] \ne [x',y']$ and all $z \in [x, y]$ are
reachable from $[x', y']$.

In the first case, the edge set does not satisfy the requirement that $[z,z]$ is reachable from $[x,y]$ if
$z \in [x, y]$. In the second case, there are two possibilities:

• either $[x,y] \subset [x',y']$, in which case there exists $z \in [x',y']$ such that $z \notin [x,y]$ and $z$ is
reachable from $[x, y]$, contradicting the requirement that $z$ is reachable from $[x,y]$ only if
$z \in [x,y]$; or

• $[x,y] \not\subset [x',y']$, so there exists $z \in [x,y]$ such that $z \notin [x',y']$ and $[z,z]$ is reachable from
$[x',y']$, which contradicts the requirement that $z$ should be reachable only if $z \in [x',y']$.

The result follows. ■

Proposition 2 (Crampton (2009)) There exists an enforcing set of edges $E$ such that
$|E| = \frac{1}{6} m(m-1)(m+4)$ and the diameter of $(T_m, E)$ is 1.

Proposition 3 (Crampton (2009)) There exists an enforcing set of edges $E$ such that
$|E| = m(m-1)$ and the diameter of $(T_m, E)$ is $\lceil \log m \rceil$.

To establish the above result, we now describe a construction, which we call binary
decomposition, that generates a set of edges with the stated properties. Binary decomposition is a
generalization of a construction we presented in an earlier paper (Crampton 2009, Scheme 2).
Binary decomposition is optimal, in the sense that any set of enforcing edges must have cardinality
at least $m(m-1)$ (by Proposition 1). We first introduce some additional notation: we write $D_n$
to denote an $n$-diamond, which is formed by joining two copies of $T_n$ along the long diagonal; and
we write $R_{m,n}$ to denote a rectangular grid of nodes of side lengths $m$ and $n$.

Construction 1 (Binary decomposition) Let $\ell = \lfloor m/2 \rfloor$ and $r = \lceil m/2 \rceil$. Now $T_m$ comprises:

• a copy of $T_\ell$, containing the minimal elements $[1,1], \dots, [\ell,\ell]$;

• a copy of $T_r$, containing the minimal elements $[\ell+1,\ell+1], \dots, [m, m]$;

• a copy of rectangle $R_{\ell,r}$, containing the remaining nodes in $T_m$.

This view of $T_7$ is depicted in Figure 3(a). Notice that every interval represented by a node in $R_{\ell,r}$
contains $\ell$ and $\ell + 1$.

The first step in the construction of $E$, then, is to include an edge from every node in $R_{\ell,r}$ to
one node in $T_\ell$ and one node in $T_r$. In particular, for node $[x,y]$ such that $x \le \ell < y$, we add
edges from $[x,y]$ to $[x,\ell]$ and from $[x,y]$ to $[\ell+1,y]$.

We now recursively apply this construction to $T_\ell$ and $T_r$, terminating when $\ell, r \le 1$. The
construction of the edge set for $T_7$ is illustrated in Figure 3.
Figure 3: The binary decomposition of $T_7$. Panels: (a) decomposing $T_7$ into $T_3$, $T_4$ and $R_{3,4}$;
(b) adding edges to $R_{3,4}$; (c) decomposing $T_3$ and $T_4$; (d) adding the remaining edges.



3.1 Single-key constructions 



Crampton (2009, §5.2) described a construction that generates an enforcing set of edges $E$ of
cardinality $\frac{1}{6} m(m-1)(\sqrt{m}+4)$ such that the diameter of $(T_m,E)$ is 2. The construction was
based on a factorization of $m$ into two integers. We now prove a more general result, in which
we express $m$ as the product of $d$ integers and construct a set of enforcing edges $E$ such that the
diameter of $(T_m, E)$ is $d$. The result has a number of interesting corollaries, which we also explore
in this section.

Theorem 4 Let $m = \prod_{i=1}^{d} a_i$, where $a_i$ is an integer and $2 \le a_i \le a_{i+1}$ for all $i$. Then there
exists an enforcing set of edges $E$ such that

$$|E| = \frac{m^2}{6} \sum_{i=1}^{d} \frac{(a_i - 1)(a_i + 4)}{\pi_i} \qquad (1)$$

where $\pi_i = \prod_{j=1}^{i} a_j$, and the diameter of $(T_m, E)$ is $d$.

The result is proved by induction on $d$ and by partitioning $T_m$ into "supernodes", which are
copies of smaller triangles and diamonds. Informally, the inductive step works by splitting $T_m$
into a triangle $T_a$ of supernodes, where $m = ab$, each non-leaf supernode is a copy of $D_b$, and each
leaf supernode is a copy of $T_b$. The application of the construction to $T_{12}$, where $a = 3$ and $b = 4$,
is illustrated in Figure 4.

Proof of Theorem 4 First consider the case $d = 1$. By Proposition 2, there exists an edge set
with cardinality $\frac{1}{6} m(m-1)(m+4)$ and the diameter of the graph is $1 = d$. Note that for $d = 1$,
we have $a_1 = m$ and $\pi_1 = m$ in (1), so the result holds for $d = 1$.

Now let us assume the result holds for all $d < D$ and consider $m = \prod_{i=1}^{D} a_i$. For convenience,
we write $b = \prod_{i=2}^{D} a_i$ (that is, $m = a_1 b$). We first note that every node in $T_m$ can be written in
the form $[x + \alpha b, y + \beta b]$, where $1 \le x, y \le b$ and $0 \le \alpha \le \beta < a_1$.

• If $\alpha = \beta$, then $[x + \alpha b, y + \beta b]$ belongs to a leaf triangle supernode which we denote by
$T_b^{(\alpha)}$, $0 \le \alpha < a_1$.

• If $\alpha < \beta$, then $[x + \alpha b, y + \beta b]$ belongs to a non-leaf diamond supernode, which we denote
by $D_b^{(\alpha,\beta)}$, $0 \le \alpha < \beta < a_1$.

Note also that $[x + \alpha b, y + \beta b]$, where $\alpha < \beta$, is the (disjoint) union of the intervals

$$[x + \alpha b, b + \alpha b],\ [1 + (\alpha+1)b, b + (\alpha+1)b],\ \dots,\ [1 + (\beta-1)b, b + (\beta-1)b],\ [1 + \beta b, y + \beta b],$$

which belong, respectively, to $T_b^{(\alpha)}, T_b^{(\alpha+1)}, \dots, T_b^{(\beta-1)}, T_b^{(\beta)}$.

Now consider a node $[x,y] \in D_b^{(0, a_1 - 1)}$. (In other words, $[x,y]$ belongs to the maximal
supernode in $T_{a_1}$.) Then for each such $[x,y]$, we define

$$C_{x,y} \stackrel{\text{def}}{=} \{[x + \alpha b, y + \beta b] : 0 \le \alpha < \beta < a_1\}.$$

Then each diamond supernode contains exactly one element of $C_{x,y}$ and the elements of $C_{x,y}$
(ordered by subset inclusion) form a copy of $T_{a_1 - 1}$. Since $[x + \alpha b, y + \beta b]$ is the union of intervals
in $T_b^{(\alpha)}, \dots, T_b^{(\beta)}$, we can connect the nodes in $C_{x,y}$ directly to the appropriate leaf nodes using a
1-hop construction for $T_{a_1}$, which requires $\frac{1}{6} a_1(a_1 - 1)(a_1 + 4)$ edges. Moreover, $C_{x,y} = C_{x',y'}$ if
and only if $x = x'$ and $y = y'$. Hence, there are $b^2 = m^2/a_1^2$ different sets $C_{x,y}$ (since there are $b$
choices for each of $x$ and $y$). Hence, we create a total of $\frac{m^2}{6 a_1}(a_1 - 1)(a_1 + 4)$ edges, which enable
us to jump directly from any node in a diamond supernode to some node in a leaf supernode. We
denote this set of edges by $E_{\text{outer}}$.

By the inductive hypothesis, there exists an enforcing set of edges $E_{\text{inner}}$ for $T_b^{(\alpha)}$, $0 \le \alpha < a_1$.
Moreover, since $m/a_1 = b = \prod_{i=2}^{D} a_i$ and $T_b^{(\alpha)}$ is a copy of $T_{m/a_1}$, we have by the inductive
hypothesis

$$|E_{\text{inner}}| = \frac{m^2}{6 a_1^2} \sum_{i=2}^{D} \frac{(a_i - 1)(a_i + 4)}{a_2 \cdots a_i}.$$

In total, we require $|E_{\text{outer}}| + a_1 |E_{\text{inner}}|$ edges (since there are $a_1$ copies of $T_b$). Hence the number
of edges is given by

$$\frac{m^2}{6 a_1}(a_1 - 1)(a_1 + 4) + \frac{m^2}{6 a_1} \sum_{i=2}^{D} \frac{(a_i - 1)(a_i + 4)}{a_2 \cdots a_i} = \frac{m^2}{6} \sum_{i=1}^{D} \frac{(a_i - 1)(a_i + 4)}{\pi_i},$$

as required.

Moreover, it is clear that the resulting set of edges $E$ is enforcing if $E_{\text{inner}}$ is enforcing (which
it is, by the inductive hypothesis). Finally, the diameter of $(T_b^{(\alpha)}, E_{\text{inner}})$ is $D - 1$ by the inductive
hypothesis. Hence, the diameter of $(T_m, E)$ is $1 + (D - 1) = D$, as required. ■

Example 5 The partial construction of a two-hop scheme for $T_{12}$ is illustrated in Figure 4. We
divide $T_{12}$ into copies of $D_4$ and $T_4$, yielding a copy of $T_3$, in which the non-leaf supernodes are
diamonds and leaf supernodes are triangles (as depicted in Figure 4(a)).

A one-hop construction for $T_3$ requires seven edges, and must be duplicated for every node
in the root supernode (and there are $4^2 = 16$ such nodes). Hence we require $7 \cdot 16 = 112$ edges
to connect nodes in non-leaf supernodes to nodes in leaf supernodes. (A subset of these edges is
depicted in Figure 4(b).) Having done this, we can now get from any node that is contained in a
copy of $D_4$ to a node in $T_4$ in one hop.

It remains, therefore, to construct an edge set for each $T_4$ supernode such that we can get from
any non-leaf node to a leaf node in one hop. We require 16 edges for each of the three copies of
$T_4$ (a total of 48 edges). The construction therefore generates a total of 160 edges.



Figure 4: Creating a 2-hop scheme for $T_{12}$ using 1-hop schemes for $T_3$ and $T_4$ (panels (a) and (b))
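The construction in the proof of Theorem 4, as an added example (not the paper's own code): it builds the edge set for a given factorization of $m$, compares its size with formula (1), and checks enforcement and diameter by walking the graph. The function names are assumptions made for the illustration.

```python
from fractions import Fraction
from math import prod


def multi_hop_edges(factors, lo=1):
    """Edge set from the proof of Theorem 4 for T_m on points lo..lo+m-1, m = prod(factors)."""
    if not factors:
        return set()                      # T_1: a single leaf, no edges
    a, rest = factors[0], tuple(factors[1:])
    b, o = prod(rest), lo - 1             # b = m / a_1; o shifts the paper's 1-based labels
    edges = set()
    for alpha in range(a):
        # E_inner: recurse into the leaf triangle supernode T_b^(alpha)
        edges |= multi_hop_edges(rest, lo + alpha * b)
        for beta in range(alpha + 1, a):  # E_outer: diamond supernode D_b^(alpha, beta)
            for x in range(1, b + 1):
                for y in range(1, b + 1):
                    src = (o + x + alpha * b, o + y + beta * b)
                    # [x + alpha*b, b + alpha*b] in T_b^(alpha)
                    edges.add((src, (src[0], o + b + alpha * b)))
                    # whole triangles strictly between alpha and beta
                    for g in range(alpha + 1, beta):
                        edges.add((src, (o + 1 + g * b, o + b + g * b)))
                    # [1 + beta*b, y + beta*b] in T_b^(beta)
                    edges.add((src, (o + 1 + beta * b, src[1])))
    return edges


def edge_count_formula(factors):
    """Right-hand side of (1): (m^2 / 6) * sum((a_i - 1)(a_i + 4) / pi_i)."""
    m, pi, total = prod(factors), 1, Fraction(0)
    for a in factors:
        pi *= a
        total += Fraction((a - 1) * (a + 4), pi)
    return Fraction(m * m, 6) * total


def analyse(edges, m):
    """Return (is_enforcing, diameter), with diameter the longest path in the graph."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    memo = {}

    def walk(n):
        # (set of reachable time points, longest path starting at n)
        if n not in memo:
            leaves = {n[0]} if n[0] == n[1] else set()
            depth = 0
            for d in succ.get(n, ()):
                sub_leaves, sub_depth = walk(d)
                leaves |= sub_leaves
                depth = max(depth, sub_depth + 1)
            memo[n] = (leaves, depth)
        return memo[n]

    enforcing = all(walk((x, y))[0] == set(range(x, y + 1))
                    for x in range(1, m + 1) for y in range(x, m + 1))
    return enforcing, max(depth for _, depth in memo.values())


if __name__ == "__main__":
    # Edges versus hops for several factorizations of m = 64.
    for factors in [(64,), (8, 8), (4, 4, 4), (2,) * 6]:
        e = multi_hop_edges(factors)
        print(factors, len(e), edge_count_formula(factors), analyse(e, 64))
```
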

In the statement of Theorem 4, note that $a_i \ge 2$, so

$$m = \prod_{i=1}^{d} a_i \ge 2^d \quad \text{and} \quad d \le \log m.$$

Note also that the $i$th term in the summation

$$\frac{(a_i - 1)(a_i + 4)}{\pi_i} = \frac{1}{\pi_{i-1}} \left( a_i + 3 - \frac{4}{a_i} \right)$$

is minimized when $a_i = 2$. Finally, note that the difference between successive terms in the
summation is given by

$$\frac{1}{\pi_i} \left( \frac{(a_{i+1} - 1)(a_{i+1} + 4)}{a_{i+1}} - (a_i - 1)(a_i + 4) \right),$$

which is approximately equal to zero when $a_{i+1} \approx a_i^2$. These observations lead to two corollaries of
Theorem 4. The first corollary provides a concise characterization of the number of edges required
for a $d$-hop solution when $m = a^d$ for some integer $a$ (which itself includes binary decomposition
as a special case). The second of these results provides an explicit bound for the number of edges
required in a scheme with $\log\log m$ steps.

Corollary 6 If $m = a^d$, then there exists an enforcing edge set $E$ such that $|E| = \frac{1}{6} m(m-1)(a+4)$
and the diameter of $(T_m, E)$ is $d = \log_a m$. In particular, if $m = 2^d$, then there exists an edge set
of cardinality $m(m-1)$ and a graph of diameter $\lceil \log m \rceil$.

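Proof By Theorem 4, we have

$$|E| = \frac{m^2}{6}(a-1)(a+4) \sum_{i=1}^{d} \frac{1}{a^i}
= \frac{m^2}{6}(a-1)(a+4) \cdot \frac{1}{a-1}\left(1 - \frac{1}{a^d}\right)
= \frac{m^2}{6}(a+4)\left(\frac{m-1}{m}\right)
= \frac{1}{6} m(m-1)(a+4).$$

And for $a = 2$, we have $|E| = m(m-1)$.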
Corollary 7 Let $m = 2^{2^d}$ for some integer $d \ge 2$. Then there exists an enforcing edge set $E$ such
that

$$|E| < m^2 \left( 1 + \frac{1}{6} \log\log m \right)$$

and the diameter of $(T_m, E)$ is $\log\log m$.

Proof We write $m = 2^2 \cdot 2^2 \cdot 2^4 \cdot 2^8 \cdots 2^{2^{d-1}}$ and apply Theorem 4, thereby obtaining a $d$-hop
scheme. In particular, we have $a_1 = 2^2$, $a_i = 2^{2^{i-1}}$, $i \ge 2$, and $\pi_i = 2^{2^i}$, $i \ge 1$. Hence,

$$|E| = \frac{m^2}{6} \sum_{i=1}^{d} \frac{(a_i - 1)(a_i + 4)}{\pi_i}
< \frac{m^2}{6} \bigl( 6 + (d-1) + 1 \bigr)
= m^2 \left( 1 + \frac{1}{6} \log\log m \right)$$

as required. ■

Remark 8 It is worth noting that $\log\log m \le 6$ for all $m \le 2^{2^6} = 2^{64}$. In other words, for all
practical values of $m$, there exists an enforcing set of edges whose cardinality is bounded by $2m^2$
and for which the number of derivation hops is bounded by $\log\log m$.

3.2 Multi-key constructions 

In this section, we consider the trade-off that is possible when we assume that users may have
two secret keys (rather than one). In Appendix B we consider the additional trade-offs that are
possible when the user may have more than two keys. The basic idea is to define a set of special
nodes $T'_m \subseteq T_m$ and a graph $(T'_m, E)$ such that:

• $[z, z] \in T'_m$ for all $z$;

• any interval $[x,y] \in T_m$ is the union of no more than two intervals in $T'_m$; and

• for every $[x, y] \in T'_m$ and every $z \in [x, y]$, there exists a path in the graph $(T'_m, E)$ from $[x, y]$
to $[z, z]$.

Then if a user is assigned to interval $[x,y]$, we know that $[x,y]$ is the union of no more than two
intervals in $T'_m$ and for any $z \in [x, y]$ there is a path to $[z, z]$ in $(T'_m, E)$. In other words, providing
the user with the keys for the two appropriate intervals enables the user to derive all keys for
which she is authorized.

We first observe that any interval $[x, y]$ such that $x \le \lceil m/2 \rceil$ and $y > \lceil m/2 \rceil$ can be written as
$[x, \lceil m/2 \rceil] \cup [\lceil m/2 \rceil + 1, y]$. Recall that the binary decomposition construction splits $T_m$ in precisely
this sort of way. These observations suggest the following recursive construction. For simplicity,
we assume that $m$ is a power of two.

Construction 2 (2-key binary decomposition) We first apply Construction 1 to $T_m$ to obtain
a set of edges $E$. We then identify the set of special nodes.

(1) If $m = 1$, then mark the node as a special node.

(2) If $m > 1$, then mark every node of the form

(a) $[x, m/2]$, for $x < m/2$, as a special node;

(b) $[m/2 + 1, y]$, for $y > m/2 + 1$, as a special node.

(3) Split $T_m$ into $T^{\mathrm{left}}_{m/2}$ and $T^{\mathrm{right}}_{m/2}$ and recursively apply the node marking to $T^{\mathrm{left}}_{m/2}$ and
$T^{\mathrm{right}}_{m/2}$.

Then $T'_m$ is defined to be the set of special nodes and we define the edge set to be $E' = E \cap
\{(x, y) : x, y \in T'_m\}$.

In other words, $(T'_m, E')$ is the sub-graph of the binary decomposition of $T_m$ induced by the
set of special nodes $T'_m$. The result of applying 2-key binary decomposition to $T_{16}$ is shown in
Figure 5, in which the special nodes are represented by filled circles. (The marking of leaf nodes
and identification of edges are conflated in the final part of the figure.)

Then a key assignment scheme in which users may have two keys is implemented by constructing
a key assignment scheme for the key derivation graph produced by Construction 2. A user
associated with interval [3, 14], for example, would then be given the keys for intervals [3, 8] and
[9, 14].

Figure 5: Applying Construction 2 to $T_{16}$

Proposition 9 Let $m = 2^d$ for some integer $d$. Then there exists a set of enforcing edges $E$ such
that $|E| < 2m\log m$, $(T_m, E)$ comprises two disconnected components, and the diameter of each
component is $\log(m/2)$.

Proof Clearly Construction 2 terminates after $\log m$ rounds. Moreover, $s(m)$, the number
of special nodes in $T_m$, satisfies the recurrence $s(m) < m + 2s(m/2)$, from which we deduce
that $s(m) < m\log m$ and, since the out-degree of each special node equals 2, we deduce that
$|E| < 2m\log m$. Clearly, the diameter of $(T_m, E)$ equals $\log m - 1 = \log(m/2)$. ■
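Construction 2 and the claims of Proposition 9 can be checked mechanically for small $m$. The Python below is an added example, not code from the paper: the function names are chosen here, and Construction 1 is assumed to be the recursive midpoint split (an interval straddling the midpoint of its block gets an edge to each of its two halves).

```python
from itertools import combinations_with_replacement


def binary_decomposition(lo, hi, edges):
    """Construction 1 (as assumed above) on the points lo..hi, width a power of two."""
    if lo == hi:
        return
    mid = (lo + hi) // 2
    for x in range(lo, mid + 1):
        for y in range(mid + 1, hi + 1):
            edges.add(((x, y), (x, mid)))
            edges.add(((x, y), (mid + 1, y)))
    binary_decomposition(lo, mid, edges)
    binary_decomposition(mid + 1, hi, edges)


def mark_special(lo, hi, special):
    """Node marking of Construction 2, steps (1) to (3)."""
    if lo == hi:
        special.add((lo, lo))                                      # step (1)
        return
    mid = (lo + hi) // 2
    special.update((x, mid) for x in range(lo, mid))               # step (2a)
    special.update((mid + 1, y) for y in range(mid + 2, hi + 1))   # step (2b)
    mark_special(lo, mid, special)                                 # step (3)
    mark_special(mid + 1, hi, special)


def two_key_scheme(m):
    """Return (T'_m, E'): the special nodes and the sub-graph of E they induce."""
    edges, special = set(), set()
    binary_decomposition(1, m, edges)
    mark_special(1, m, special)
    return special, {(u, v) for u, v in edges if u in special and v in special}


def keys_for(x, y, m, special):
    """Special intervals whose keys a user assigned to [x, y] receives (one or two)."""
    if (x, y) in special:
        return [(x, y)]
    lo, hi = 1, m
    while True:                       # descend to the block whose midpoint [x, y] straddles
        mid = (lo + hi) // 2
        if x <= mid < y:
            return [(x, mid), (mid + 1, y)]
        lo, hi = (lo, mid) if y <= mid else (mid + 1, hi)


def _children(edges):
    out = {}
    for u, v in edges:
        out.setdefault(u, []).append(v)
    return out


def derivable_leaves(start, edges):
    """Points z whose leaf key [z, z] is derivable from the keys of the start nodes."""
    out, seen, stack = _children(edges), set(), list(start)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(out.get(node, ()))
    return {z for z, w in seen if z == w}


def max_hops(edges):
    """Length of the longest derivation path in the graph."""
    out, memo = _children(edges), {}

    def depth(u):
        if u not in memo:
            memo[u] = 1 + max(depth(v) for v in out[u]) if u in out else 0
        return memo[u]
    return max(depth(u) for u in out)


def components(nodes, edges):
    """Number of weakly connected components (union-find)."""
    parent = {v: v for v in nodes}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v
    for u, v in edges:
        parent[find(u)] = find(v)
    return len({find(v) for v in nodes})


def enforces_policy(m):
    """Every user interval gets at most 2 keys and derives exactly the points it contains."""
    special, edges = two_key_scheme(m)
    for x, y in combinations_with_replacement(range(1, m + 1), 2):
        keys = keys_for(x, y, m, special)
        if len(keys) > 2 or derivable_leaves(keys, edges) != set(range(x, y + 1)):
            return False
    return True


if __name__ == "__main__":
    special, edges = two_key_scheme(16)
    print(keys_for(3, 14, 16, special))          # the paper's example user interval
    print(len(edges), max_hops(edges), components(special, edges))
    print(enforces_policy(16))
```

The exact-equality check in `enforces_policy` is the enforcement property itself: a user must reach every leaf in the assigned interval and no leaf outside it.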

We also note that we can use a similar method to create a one-hop two-key scheme with $O(n^2)$
edges. In particular, we have the following result.

Proposition 10 There exists a set of enforcing edges $E$ such that $|E| < \frac{1}{2}m(m - 1 + \log m)$,
$(T_m, E)$ comprises two disconnected components, and the diameter of each component is 1.

Proof Consider the set of edges $E$ of cardinality $\frac{1}{6}m(m-1)(m+4)$ that defines a 1-hop graph
for $T_m$ and then take the subgraph of $(T_m, E)$ induced by the set of special nodes. From the
top-left corner of Figure 5, it is evident that the number of edges in this subgraph $e(m)$ satisfies
the following inequality:

$$e(2m) < 2t_m + 2e(m),$$

where $t_m$ denotes the $m$th triangle number. Hence, we have

$$e(2m) < m(m+1) + 2e(m),$$

from which we may prove the required result using a straightforward induction. ■

3.3 Related work 

A number of authors have used "binary tree encryption", which can be used to enforce
temporal access control policies cryptographically (see (Backes, Cachin, and Oprea 2006;
Canetti, Halevi, and Katz 2007), for example). In such schemes, assuming $n = 2^m$ for some integer
$m$, the parent node is $[1, n]$ and the two child nodes of node $[x, y]$ are $[x, \frac{x+y-1}{2}]$ and $[\frac{x+y-1}{2}+1, y]$. Then
any interval $[x, y] \in T_n$ is the disjoint union of no more than $2(\log n - 1)$ intervals; $[2, 15] \in T_{16}$, for
example, is the union of the intervals [2,2], [3,4], [5,8], [9,12], [13,14] and [15,15]. In other words,
we may enforce a temporal access control policy using binary tree encryption, by supplying each
user with at most $2(\log n - 1)$ keys and key derivation time requires no more than $\log n$ steps. The
great advantage of such schemes is that the key of a child node can be derived directly from the
key of the parent, since the key derivation graph is a tree. Hence, binary tree encryption schemes
require no public information.

The focus of our work, however, is on schemes - arguably, more practical schemes - in which
users have a single key. Two groups of researchers have studied this form of cryptographic
enforcement of temporal access control in some detail. In this section, we discuss these two strands
of research and our own work in this area. We then summarize and compare the respective results
to our work.



Atallah, Blanton, and Frikken (2007b) propose a number of schemes that reduce the number
of edges and the maximum number of hops for $T_m$, using techniques previously developed for
total orders (Atallah, Blanton, and Frikken 2006). Henceforth, we will use the term chain,
rather than total order, and we will write $C_n$ to denote the chain containing $n$ elements.

Atallah, Blanton, and Frikken (2007b) treat $T_m$ as the direct product of two orthogonal
sets of chains and apply short-cutting techniques for chains. To derive the key for interval
$[z, z] \subseteq [x, y]$ given the key for $[x, y]$, for example, their method requires us to first derive
the key for $[z, y]$ using one chain (comprising intervals of the form $[1, y], \ldots, [x, y], \ldots, [y, y]$),
and then to derive the key for $[z, z]$ using an orthogonal chain (comprising intervals of the
form $[z, m], \ldots, [z, y], \ldots, [z, z]$).

Any set of enforcing edges $E$ for chain $C_m$, such that $|E| = O(f(m))$ and the diameter of
the graph $(C_m, E)$ is $O(d(m))$, can be used to construct a set of enforcing edges $E'$ for $T_m$
such that $|E'|$ is $O(mf(m))$ and the diameter of $(T_m, E')$ is $O(d(m))$. More specifically, if
the diameter of $(C_m, E)$ is $d$, then the diameter of $(T_m, E')$ is $2d$, and if $|E| = f(m)$, then



De Santis, Ferrara, and Masucci (2008) propose a number of schemes that take a quite different
approach, using earlier work due to Thorup (1995) and Dushnik and Miller (1941) to
reduce the diameter of $T_m$, and to Alon and Schieber (1987) to reduce the number of edges
(by increasing the number of keys).



Thorup (1995) showed that given a rooted, acyclic, planar, directed graph $G = (V, E)$, there
exists a set $E_S$ of "shortcut edges" such that $|E_S| < |E|$ and the diameter of $(V, E \cup E_S)$ is
$O(\log|V| \log^*|V|)$.

The second result they use is that given a poset of dimension 2 with Hasse diagram
$G = (V, E)$, there exists a set of shortcut edges $E_S$ such that the graph $(V, E \cup E_S)$ has diameter
$O(\log^*|V|)$ and $|E_S|$ is $O(d\,|V|\,(3\log|V|)^{d-1})$ (De Santis, Ferrara, and Masucci 2007a;
Dushnik and Miller 1941).



Alon and Schieber (1987), Yao (1982) and Bodlaender, Tel, and Santoro (1994) have all
studied c-coverings, which are used to represent an interval as the union of no more than
c smaller intervals. De Santis, Ferrara, and Masucci (2008) have considered the use of
c-coverings in their work to create multi-key schemes in which each user requires no more
than c keys.

Both strands of research include enforcement schemes in which users may have multiple keys, as
well as schemes in which users have precisely one key. De Santis et al. provide several different
ways of constructing key assignment schemes for $T_m$, whereas Atallah et al. rely on schemes for
chains to construct their key assignment schemes. The schemes of De Santis et al. provide greater
flexibility in the choice of parameters, allowing, for example, a choice in the number of keys for a
particular scheme. In contrast, the schemes of Atallah et al. use three keys, because of the data
structures that are used to build their schemes. Moreover, the 3-key schemes of Atallah et al.
are rather artificial, in the sense that enabling keys have to be introduced and more information
needs to be stored both at the server side and the client side to enable key derivation to take
place (Atallah, Blanton, and Frikken 2007a, §5.3 and 5.4).

We previously introduced a number of schemes (Crampton 2009), including binary decomposition,
which we generalize in this paper. The main distinguishing feature of our work is the focus
on improved schemes that are directly relevant to the problem at hand, whereas prior work has
simply applied existing short-cutting techniques, without considering the particular characteristics
of the graph $T_m$ and its application to temporal access control. Specifically, in our previous work
and in this paper we exploit the fact that it is not necessary to be able to derive keys for non-leaf
intervals, in contrast to the work of other researchers.

As a consequence of our more direct approach, we are able to define schemes for which it is
possible to compute either exact values or tight upper bounds on storage and derivation costs,
whereas related work only describes asymptotic behavior. For large values of $m$, such a description
may be useful, but, for smaller (and arguably more relevant) values of $m$, our approach is more
informative. Moreover, without knowing the multiplicative constants and lower-order terms hidden
by the $O$ notation, it is difficult to ascertain which scheme in the literature is the best to use for
a particular value of $m$. The relevant characteristics of comparable schemes in the literature and
those introduced in this paper are summarized in Figure 6.

4 Geo-Spatial Access Control 

Atallah et al. have also applied their techniques to a graph in which the nodes correspond to
rectangles of the form $I_1 \times I_2$, where $I_1 \in T_m$ and $I_2 \in T_n$ (Atallah, Blanton, and Frikken 2007a).
Each object is associated with a point $(x, y)$ (equivalently, a "unit" rectangle $[x, x] \times [y, y]$), where
$x \in [1, m]$ and $y \in [1, n]$. If a user is associated with node $I_1 \times I_2$ then the user should be able to
derive the key for each point $[x, x] \times [y, y] \in I_1 \times I_2$ (where $x \in I_1$ and $y \in I_2$). The set of points
enclosed by a rectangle is defined by the endpoints of the two intervals.

There are $\frac{1}{2}m(m+1)$ and $\frac{1}{2}n(n+1)$ such intervals in $T_m$ and $T_n$, respectively, so there are
a total of $\frac{1}{4}mn(m+1)(n+1)$ possible rectangles contained in $T_m \times T_n$ (and hence nodes in the
graph). Again, it is important to note that the user is not required to be able to derive keys for
all subsets of $I_1 \times I_2$, only those subsets of the form $[x, x] \times [y, y]$.

(b) Multi-key constructions

Figure 6: A comparison of existing work and our contributions

Recall the binary decomposition technique for $T_m$ (Construction 1): for a given interval $[x, y]$
such that $x \leq \lfloor m/2 \rfloor$ and $y \geq \lfloor m/2 \rfloor + 1$, we connected $[x, y]$ to two intervals $[x, \lfloor m/2 \rfloor]$ and
$[\lfloor m/2 \rfloor + 1, y]$. We now demonstrate how this technique can be extended to $T_{m,n}$. Suppose, for
illustrative purposes, that $m = n = 16$ and consider the rectangle $[3, 11] \times [2, 14]$ (as illustrated
schematically in Figure 7(a)). Then we can decompose this rectangle into four smaller rectangles
in which each interval contains no more than 8 points: namely

$$[3, 11] \times [2, 14] = ([3, 8] \times [2, 8]) \cup ([3, 8] \times [9, 14]) \cup ([9, 11] \times [2, 8]) \cup ([9, 11] \times [9, 14])$$

We can repeat this decomposition for each of these four rectangles, so that each interval contains
no more than 4 points. It is easy to see that the out-degree of each node in the resulting graph
can be no greater than 4 and that the number of decompositions required (and hence the diameter
of the resulting graph) is $4 = \log 16$. Hence, we can construct an enforcing set of edges $E$ whose
cardinality is bounded by $4|T_{n,n}| = n^2(n+1)^2$ and for which the diameter of the graph $(T_{n,n}, E)$
is $\lceil \log n \rceil$. However, we can reduce the number of edges by conducting a more detailed analysis.
In the next section, we provide a tighter bound on the number of edges required to construct
a graph of diameter $\log n$ for $T_{n,n}$. We then consider constructions for $T_{m,n}$ where $m \leq n$ and
briefly look at multi-key constructions, before comparing our contributions with existing work.

4.1 Constructions for $T_{n,n}$

We first determine the number of edges required by a 1-hop scheme.

Proposition 11 There exists an enforcing set of edges $E$ such that

$$|E| < \frac{1}{36}n^2(n+1)^2(n+2)^2 = \frac{1}{9}(n+2)^2\,|T_{n,n}|$$

and the diameter of $(T_{n,n}, E)$ is 1.

Proof Every node in $T_{n,n}$ is a rectangle and every point contained in each rectangle should be
reachable in a single hop. The area of each node corresponds to the number of leaf nodes that
are reachable from this node. Hence, the number of edges $e(n)$ required to construct a graph of
diameter 1 for $T_{n,n}$ is $\sum_{i=1}^{n}\sum_{j=1}^{n} a_{ij}\,ij$, where $a_{ij}$ is the number of rectangles of area $ij$. Now the
number of rectangles of area $ij$ is the number of intervals of length $i$ multiplied by the number of
intervals of length $j$. Hence, we have

$$e(n) = \sum_{i=1}^{n}\sum_{j=1}^{n}(n-i+1)(n-j+1)\,ij = \left(\sum_{i=1}^{n} i(n-i+1)\right)^2 = \frac{1}{36}n^2(n+1)^2(n+2)^2.$$

In fact, $e(n)$ is an overestimate for the number of edges required because we have included $n^2$
rectangles of area 1, which are leaf nodes. The result follows. ■

Theorem 12 There exists an enforcing set of edges $E$ such that

and the diameter of the graph $(T_{n,n}, E)$ is bounded by $\lceil \log n \rceil$.

Proof Given $n = 2m$, for some integer $m$, we can divide the $n \times n$ grid into four $m \times m$ grids,
which we label $T^{(0,0)}_{m,m}$, $T^{(0,1)}_{m,m}$, $T^{(1,0)}_{m,m}$, and $T^{(1,1)}_{m,m}$. Then there are three types of rectangles in $T_{n,n}$
(illustrated in Figure 7):

1. those in which each vertex is in a different m-grid;

2. those in which one pair of vertices is contained in one m-grid and the other pair of vertices
are in an adjacent m-grid;

3. those in which each vertex is in the same m-grid.

Then we construct an edge set in which:

• each Type 1 rectangle is connected to four child rectangles, one in each m-grid; and

• each Type 2 rectangle is connected to two child rectangles, one in each m-grid that contains
a pair of the rectangle's vertices.

We then recursively construct an edge set for each copy of $T_{m,m}$. Hence, the number of edges
$e(n)$ required by this construction is $4a + 2b + 4e(m)$, where $a$ represents the number of Type 1
rectangles and $b$ represents the number of Type 2 rectangles.

Figure 7: Examples of rectangle types in a 2m x 2m grid: (a) Type 1, (b) Type 2, (c) Type 3. The four m-grids are labeled (0,0), (0,1), (1,0) and (1,1).

We now compute $a$ and $b$. Note that we have $m$ choices for each of the four endpoints of
the intervals that define a Type 1 rectangle (since each vertex lies in a different m-grid). Hence,
$a = m^4$. To compute $b$, we first consider the number of rectangles in a pair of adjacent m-grids:
we have $m^2$ choices for the endpoints of the "long" side of a Type 2 rectangle (that spans two
m-grids), and $\frac{1}{2}m(m+1)$ choices for the endpoints of the "short" side (where the endpoints belong
to the same m-grid). Clearly, there are four different choices of adjacent m-grids, each containing
the same number of Type 2 rectangles. Hence, $b = 2m^3(m+1)$. Therefore, we deduce the following
recurrence relation for $e(n)$.

$$\begin{aligned}
e(n) &= 4m^4 + 4m^3(m+1) + 4e(m) \\
&= 4m^3(2m+1) + 4e(m) \\
&= \tfrac{1}{2}n^3(n+1) + 4e\!\left(\tfrac{n}{2}\right)
\end{aligned}$$

Using this recurrence relation, we prove by induction that $e(n) = \frac{1}{3}n^2(n-1)(2n+5)$.

Consider $n = 2$: it is easy to see by inspection that we require 4 + 8 = 12 edges, so the result
holds for $n = 2$ (since, using the formula, $e(2) = \frac{1}{3}\cdot 4\cdot 1\cdot 9 = 12$). Now assume that the result
holds for all $n < N$. Then

$$\begin{aligned}
e(N) &= \tfrac{1}{2}N^3(N+1) + 4e\!\left(\tfrac{N}{2}\right) && \text{(by the recurrence relation)} \\
&= \tfrac{1}{2}N^3(N+1) + \tfrac{4N^2}{12}\left(\tfrac{N}{2}-1\right)(N+5) && \text{(by the inductive hypothesis)} \\
&= \tfrac{1}{6}N^2\left(3N^2 + 3N + N^2 + 3N - 10\right) \\
&= \tfrac{1}{3}N^2(N-1)(2N+5)
\end{aligned}$$

as required. Moreover,

$$e(n) = \tfrac{1}{3}n^2(n-1)(2n+5) = \tfrac{1}{3}n^2(2n^2+3n-5) < \tfrac{2}{3}n^2(n+1)^2 = \tfrac{8}{3}\,|T_{n,n}|.$$

It is evident that the construction terminates after no more than $\lceil \log n \rceil$ iterations and that the
diameter of the resulting graph will be $\lceil \log n \rceil$. ■

4.2 Constructions for $T_{m,km}$

We now consider constructions for $T_{m,km}$, where $m$ and $k$ are integers. (These constructions can
be extended to $T_{m,n}$, for any integers $m \leq n$, by writing $n = km + r$, where $0 \leq r < m$.)

We consider an $m \times km$ grid to be $k$ copies of an $m \times m$ grid, which we may label
$T^{(1,1)}_{m,m}, \ldots, T^{(1,k)}_{m,m}$. Then all four vertices of a rectangle in $T_{m,km}$ may belong to the same m-grid,
or one pair of vertices belongs to one m-grid and the other pair to another grid. In other
words, the number of possible choices of m-grids for the vertices of a rectangle corresponds to the
number of intervals in $[1, k]$. This is illustrated schematically for an $m \times 4m$ grid in Figure 8. These
observations suggest the following approach:

• For each rectangle in $T_{m,km}$ that is not included in one copy of $T_{m,m}$, add edges to the
appropriate rectangles in two or more copies of $T_{m,m}$;

• Construct an enforcing set of edges for each copy of $T_{m,m}$.

Figure 8: An m x 4m grid and the various types of rectangles that may arise in it

In Section 3 we identified a number of schemes for $T_k$ and we have seen (in Theorem 12) how
to construct an enforcing set of edges $E$ such that the diameter of $T_{m,m}$ is $\log m$. Putting this
together, we obtain the following result.

Theorem 13 There exist enforcing sets of edges $E_1$ and $E_2$ such that

• $|E_1| = \frac{1}{12}km^2\big((k-1)(k+4)m(m+1) + 4(m-1)(2m+5)\big)$ and the diameter of $(T_{m,km}, E_1)$
is $\log m + 1 = \log 2m$;

• $|E_2| = \frac{1}{6}km^2\big(3(k-1)m(m+1) + 2(m-1)(2m+5)\big)$ and the diameter of $(T_{m,km}, E_2)$ is
$\log m + \log k = \log km$.

Proof For each rectangle that belongs to two or more m-grids we have $m^2$ choices for the vertices
that belong to different m-grids and $\frac{1}{2}m(m+1)$ choices for those that belong to the same m-grid.
Hence, in total we have $\frac{1}{2}m^3(m+1)$ possible choices for such rectangles. Hence, we can build a
set of enforcing edges for the $m \times km$ grid, whose cardinality is given by

$$\tfrac{1}{2}m^3(m+1)\,e(T_k) + k\,e(T_{m,m}), \qquad (2)$$

where $e(T_k)$ is the cardinality of some enforcing set of edges for $T_k$ and $e(T_{m,m})$ is the cardinality
of some enforcing set of edges for $T_{m,m}$. The number of hops required will be the number of hops
for $T_k$ plus the number of hops required for $T_{m,m}$.

Each rectangle in $T_{m,km}$ has non-empty intersection with $T^{(1,x)}_{m,m}, \ldots, T^{(1,y)}_{m,m}$ for some $x$ and $y$.
To obtain $E_1$, we add an edge from each rectangle in $T_{m,km}$ to a single rectangle in each of $T^{(1,z)}_{m,m}$,
$z \in [x, y]$. In other words, the number of edges required will be the number of edges required for
a 1-hop scheme for $T_k$ multiplied by the number of rectangles in each interval. Hence, using the
1-hop construction in the proof of Theorem 4 and applying (2), we have

$$\begin{aligned}
|E_1| &= \tfrac{1}{12}m^3(m+1)k(k-1)(k+4) + \tfrac{1}{3}km^2(m-1)(2m+5) \\
&= \tfrac{1}{12}km^2\big((k-1)(k+4)m(m+1) + 4(m-1)(2m+5)\big)
\end{aligned}$$

We require a single hop to get from any rectangle to a rectangle in a copy of $T_{m,m}$ and we require
$\log m$ hops to get from any rectangle in $T_{m,m}$ to a leaf node. Hence, the diameter of $(T_{m,km}, E_1)$
is $1 + \log m$.

To obtain $E_2$, we construct an enforcing set of edges that enables us to get from each rectangle
in $T_{m,km}$ to a rectangle in a copy of $T_{m,m}$ in $\log k$ hops. Using Construction 1 we require $k(k-1)$
edges for each rectangle. Hence,

$$\begin{aligned}
|E_2| &= \tfrac{1}{2}m^3(m+1)k(k-1) + \tfrac{1}{3}km^2(m-1)(2m+5) \\
&= \tfrac{1}{6}km^2\big(3(k-1)m(m+1) + 2(m-1)(2m+5)\big)
\end{aligned}$$

In this case, the number of hops required in total is $\log k + \log m$. ■

Corollary 14 For $k \geq 1$, there exists an enforcing set of edges $E$ such that

$$|E| < 2\,|T_{m,km}|\left(1 + \frac{1}{3k}\right) \leq \frac{8}{3}\,|T_{m,km}|$$

and the diameter of $(T_{m,km}, E)$ is $\log km$.

Proof The result for $k = 1$ follows from Theorem 12. For $k > 1$, we have (from the proof of
Theorem 13)

$$\begin{aligned}
|E_2| &= \tfrac{1}{6}km^2\big(3(k-1)m(m+1) + 2(m-1)(2m+5)\big) \\
&= \tfrac{1}{6}km^2\big(3km^2 + 3km - 3m^2 - 3m + 4m^2 + 6m - 10\big) \\
&= \tfrac{1}{6}km^2\big(3km(m+1) + m^2 + 3m - 10\big) \\
&< \tfrac{1}{6}km^2\big(3km(m+1) + (m+1)(m+2)\big) \\
&= \tfrac{1}{6}km^2(3km + m + 2)(m+1) \\
&= \tfrac{1}{6}m(m+1)\,km\,(3km + 3 + m - 1) \\
&= \tfrac{1}{2}m(m+1)\,km\,(km+1) + \tfrac{1}{6}m(m+1)\,km\,(m-1)
\end{aligned}$$

and, since $|T_{m,km}| = \frac{1}{4}m(m+1)\,km\,(km+1)$, we have

$$|E_2| < 2\,|T_{m,km}| + \frac{2}{3}\left(\frac{m-1}{km+1}\right)|T_{m,km}| < 2\,|T_{m,km}|\left(1 + \frac{1}{3k}\right)$$

as required. Clearly $1 + \frac{1}{3k}$ monotonically decreases as $k$ increases, so $|E_2|$ is a maximum when
$k = 1$. Hence $|E_2| < \frac{8}{3}\,|T_{m,km}|$. ■

4.3 Multi-key constructions 

In Section 3.2 we showed how we could reduce the number of edges in an enforcing set if we
assumed that a user may be given two keys. Essentially, this assumption allows us to reduce the
number of nodes in the key derivation graph for $T_n$ from approximately $\frac{1}{2}n^2$ to $n\log n$. We now
develop an analogous approach for $T_{n,n}$.

First, we explain how the set of special rectangles is defined. We divide $T_{n,n}$ into four copies
of $T_{m,m}$, where $m = n/2$. Then the following rectangles are defined to be special nodes:

• $[x, m] \times [y, z]$, where $x, y, z \in [1, m-1]$;

• $[x, y] \times [z, m]$, where $x, y, z \in [1, m-1]$;

• $[m+1, x] \times [y, z]$, where $x \in [m+2, 2m]$, $y, z \in [1, m-1]$;

• $[x, y] \times [z, m]$, where $x, y \in [m+2, 2m]$, $z \in [1, m-1]$;

• $[x, m] \times [y, z]$, where $x \in [1, m-1]$, $y, z \in [m+2, 2m]$;

• $[x, y] \times [m+1, z]$, where $x, y \in [1, m-1]$, $z \in [m+2, 2m]$;

• $[m+1, x] \times [y, z]$, where $x \in [m+2, 2m]$, $y, z \in [m+2, 2m]$;

• $[x, y] \times [m+1, z]$, where $x, y \in [m+2, 2m]$, $z \in [m+2, 2m]$.

In other words, special nodes in $T_{n,n}$, where $n = 2m > 2$, are non-leaf rectangles in which at least
one endpoint is $m$ or $m+1$. Having identified the special nodes in $T_{n,n}$, we then recursively
identify the special nodes in each copy of $T_{m,m}$. Figure 9 illustrates how a Type 1 rectangle can
be split into four special rectangles.

Figure 9: Representing a Type 1 rectangle in $T_{2m,2m}$ as the union of four special rectangles



Theorem 15 Let $n = 2m$, for some integer $m$. Then there exists an enforcing set of edges $E$ for
$T_{n,n}$ such that $|E| \leq 4n^2(n-1)$, the graph $(T_{n,n}, E)$ comprises four disconnected components, and
the diameter of $(T_{n,n}, E)$ is $\lfloor \log n \rfloor$.

Proof We first count the number of special rectangles. Without loss of generality, we consider
the copy of $T_{m,m}$ in which all special rectangles contain an interval of the form $[x, m]$ for some
$x \in [1, m-1]$ (corresponding to the bottom left quadrant in Figure 9).¹ Then the number of
special nodes is the total number of rectangles in $T_{m,m}$ minus the number of rectangles that are
not special nodes. Since a non-special rectangle cannot contain an interval in which the upper
endpoint is equal to $m$, the number of non-special rectangles is $\frac{1}{4}(m-1)^2m^2$. Hence, the number
of special rectangles is given by

$$\tfrac{1}{4}m^2(m+1)^2 - \tfrac{1}{4}m^2(m-1)^2 = m^3.$$

By symmetry, $T_{n,n}$ contains $4m^3 = \frac{1}{2}n^3$ special rectangles in which at least one endpoint is $m$ or
$m+1$.

The recursive construction implies that $s(n)$, the total number of rectangles that will be marked
as special, satisfies the recurrence $s(n) \leq n^3/2 + 4s(n/2)$, from which we deduce that $s(n) \leq
n^2(n-1)$. Since each special rectangle has out-degree no greater than 4, we conclude that there
exists an enforcing set of edges of cardinality no greater than $4n^2(n-1)$. ■

¹By symmetry, each copy of $T_{m,m}$ contains the same number of special rectangles.

4.4 Related work



Atallah, Blanton, and Frikken (2007a, §4) propose a scheme for geo-spatial access control in which
each user has a single key, the number of key derivation steps is O (1) and the number of edges is 
O (n''(log n^)^ log* nj . They then propose more complex schemes in which the user has O (1) keys. 
These schemes require complex, auxiliary data structures and key derivation algorithms. The num- 
ber of edges required by their best scheme for T^^j where to ^ n, is O ('mn{\oglogm)^ log* to,). 

It is difficult to compare the performance of our schemes with those of Atallah et al. because 
most of their schemes use O (1) keys. The only scheme that uses a single key has constant time 
key derivation (requiring no more than 9 hops) and requires O (^m^ri^ (log mn)^ log* mn) edges. 
The scheme is rather complicated and involves reducing the 4-dimensional poset {Tm.n, ^) to a set 
of 1-dimensional posets (that is, chains) and then constructing edge sets for each of these chains 
and edge sets to connect the chains. 



Recently, Yuan and Atallah (2009) used O (mn) copies of a scheme for a chain to create a
scheme in which the user requires O (1) keys and O (mn log* m) edges, and the number of derivation
steps is O (1). However, the paper is rather vague on the details of the scheme and how it compares
to the closely related work of Atallah, Blanton, and Frikken (2007a) described in the preceding
paragraphs, so it is difficult to provide a direct comparison with our work.

By Corollary 14, the number of edges required by our scheme is less than $\frac{2}{3}mn(m+1)(n+1)$
and key derivation takes no more than $\log mn$ steps. Moreover, our construction is analogous
to our binary decomposition for temporal access control: we will see in the next section that
our construction generalizes readily to higher dimensions; in contrast, the extension of existing
schemes to higher dimensions is non-trivial.

5 Interval-Based Access Control 

In this section, we generalize temporal and geo-spatial access control to interval-based access
control. Consider

$$T_n^k \stackrel{\mathrm{def}}{=} \underbrace{T_n \times \cdots \times T_n}_{k\ \text{times}}.$$

We call an element $[x_1, y_1] \times \cdots \times [x_k, y_k] \in T_n^k$ a ($k$-dimensional) hyperrectangle and write it
$\prod_{i=1}^{k}[x_i, y_i]$. A 1-dimensional hyperrectangle is an interval (as in Section 3) and a 2-dimensional
hyperrectangle is simply a rectangle (as in Section 4). In interval-based access control, protected
objects are associated with a "trivial" hyperrectangle $\prod_{i=1}^{k}[z_i, z_i]$ (which is simply a point in
$k$-dimensional space) and users are associated with a hyperrectangle $\prod_{i=1}^{k}[x_i, y_i]$. A user associated
with hyperrectangle $\prod_{i=1}^{k}[x_i, y_i]$ is authorized for an object associated with $\prod_{i=1}^{k}[z_i, z_i]$ if and only
if $z_i \in [x_i, y_i]$ for all $i$.

Theorem 16 There exists a set of enforcing edges $E$ for $T_n^k$ such that

$$|E| = \frac{n^k}{2^k}\sum_{i=1}^{k}\binom{k}{i}\frac{(3^i-1)(n^i-1)}{2^i-1}$$

and the diameter of $(T_n^k, E)$ is $\log n$.

Note that substituting $k = 1$ and $k = 2$ into the above formula, we obtain $|E| = n(n-1)$ and
$|E| = \frac{1}{3}n^2(n-1)(2n+5)$, confirming the results of Sections 3 and 4. Before proving the above
theorem, we state a useful result, which can be proved by induction.

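Proposition 17 Let $k \geq 1$, $\ell \geq 0$ and $a_0, \ldots, a_\ell$ be integers and let $n = 2^m$ for some non-zero
positive integer $m$. If

$$f(n) = 2^k f\!\left(\frac{n}{2}\right) + \left(\frac{n}{2}\right)^{k}\sum_{i=0}^{\ell} a_i\left(\frac{n}{2}\right)^{i}$$

for all $n$, and $f(1) = 0$, then

$$f(n) = \left(\frac{n}{2}\right)^{k}\left(a_0\log n + \sum_{i=1}^{\ell} a_i\,\frac{n^i-1}{2^i-1}\right).$$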

Proof of Theorem 16 Let $n = 2m$. Then we may split $T_n^k$ into $2^k$ copies of $T_m^k$. A hyperrectangle
has non-empty intersection with one or more of the $2^k$ copies of $T_m^k$. Our proof proceeds by
counting the number of copies of $T_m^k$ with which a hyperrectangle intersects and how that, in turn,
determines the number of edges required for that hyperrectangle.

We first recall the methods of Sections 3 and 4. For $k = 1$ (Section 3) we split $T_n$ into two
copies of $T_m$ and every interval in $T_n$ has non-empty intersection with either one or two copies of
$T_m$. For $k = 1$, the two copies of $T_m$ may be identified with the 1-bit strings 0 and 1. The endpoints
of $[x, y] \in T_n$ are simply $x$ and $y$. Then either both endpoints (that is, $x$ and $y$) belong to the
same copy of $T_m$ or they are in different copies. In the first case, there are $\frac{1}{2}m(m+1)$ choices
for the endpoints, since we require that $x \leq y$; in the second case, there are $m^2$ choices, since we
choose any value from the copy of $T_m$ corresponding to 0 for the lower endpoint and any value
from the copy of $T_m$ corresponding to 1 for the upper endpoint. And when $k = 2$ (Section 4), $T_n^2$
may be split into four copies of $T_m^2$ labeled (0, 0), (0, 1), (1, 0) and (1, 1). An element of $T_n^2$ is a
rectangle, which "straddles" one, two or four copies of $T_m^2$ depending on which of the four copies
of $T_m^2$ contain the lower left and upper right corners of the rectangle (as we saw in the proof of
Theorem 12).

More generally, each copy of $T_m^k$ in $T_n^k$ can be identified with a $k$-bit string. Then each element
of $T_n^k$ has two $k$-dimensional endpoints, which uniquely identify the two copies of $T_m^k$ to which those
endpoints belong. More generally, each hyperrectangle in $T_n^k$ is enclosed by some hyperrectangle
comprising $2^d$ copies of $T_m^k$ for some integer $d \leq k$, where $d$ is determined by the endpoints. We
wish to determine $d$ for a given element of $T_n^k$.

We denote the "left" or "lower" endpoint of an element of $T_n^k$ by $l = (l_1, \ldots, l_k) \in \{0, 1\}^k$ and
the "right" or "upper" endpoint by $r = (r_1, \ldots, r_k) \in \{0, 1\}^k$. Then we have $l_i \leq r_i$ for all $i$.
Now the Hamming distance of $l$ and $r$ determines the "volume" of the enclosing hyperrectangle,
measured as multiples of $T_m^k$. Specifically, if the Hamming distance between the two endpoint
strings is $d$ (that is, $l_i = 0$ and $r_i = 1$ for $d$ values of $i$) then the enclosing hyperrectangle contains
$2^d$ copies of $T_m^k$.

The number of pairs of strings with Hamming distance d is determined by the choice of co- 
ordinates at which li ^ ri and the values chosen for the remaining positions. Clearly there are 
(^) choices of d co-ordinate positions and, having fixed those positions, there are 2*^^'* choices for 
the values of the remaining k — d positions. Hence, the number of different endpoints that are 
enclosed in a hyperrectangle of 2'^ copies of 2™ is 2^~'^(^^. 

Now an arbitrary element in Hj^j^ [xi, yi] G T^ for which the Hamming distance of the endpoints 
is d "straddles" 2"^ copies of Tm, and is the union of 2^* elements of T^. (When fc = 1, for example, 
every interval in r„ is the union of 1 or 2 intervals contained in Tm and Tm .) Therefore, 2'^ 
edges will be required to connect ni=i[^i'?/«] to the appropriate child hyperrectangles that are 
contained in copies of Tm ■ 

For an arbitrary element ni=iNiiy«] ^ T^n with endpoints Z,r € {0, 1} , the value of U © ri 
determines how many choices there are for Xi and j/^. Specifically, if U = ri, then Xi and yi belong 
to the same ?7i-cube and there are ■^''^{tt^ + 1) choices for the pair {xi,yi) since we must ensure 
that yi ^ Xi- However, if l^ < ri, then Xi and j/j belong to different m-cubes and there are ni^ 
choices for (xj, yi), since yi is necessarily greater than Xi and therefore we have a free choice of Xi 
and yi from m values. Therefore, if the Hamming distance of I and r is d, then the total number 
of choices for ni^ii-^i'yj] i^ 

{m^ Qm(m + 1)) = ^m^+^im + 1)'-'^ 
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We conclude that the set of edges required to connect all hyperrectangles with Hamming distance 
d to the appropriate child hyperrectangles has cardinality a{d)b{d)c{d), where 

• a{d) — 2"^ is the number of children of a hyperrectangle with Hamming distance d, 

• b(d) = 2'^~''(^) is the number of possible choices of enclosing hyperrectangles for a hyper- 
rectangle with Hamming distance d, and 



c{d) = i^^m'^^''' {m + 1)*^ ''is the number of choices of endpoints for each of the k intervals 
comprising a hyperrectangle with Hamming distance d. 



Clearly, the Hamming distance $d$ takes values between 0 and $k$, so the total number of edges
required, denoted $e(n,k)$, satisfies the recurrence relation:

$$\begin{aligned}
e(n, k) &= 2^k e(m, k) + \sum_{d=0}^{k} 2^d\, 2^{k-d} \binom{k}{d} \frac{1}{2^{k-d}}\, m^{k+d} (m + 1)^{k-d} \\
&= 2^k e(m, k) + m^k \sum_{d=0}^{k} \binom{k}{d} (2m)^d (m + 1)^{k-d}
\end{aligned}$$

and, applying the binomial theorem, we obtain

$$e(n, k) = 2^k e(m, k) + m^k (2m + m + 1)^k = 2^k e(m, k) + m^k (3m + 1)^k.$$

Now, this total includes an edge for each hyperrectangle that is contained in a single $m$-cube (when
the Hamming distance is 0). For a recursive construction, we can omit these edges (of which there
are $2^k \frac{1}{2^k} m^k (m + 1)^k = m^k (m + 1)^k$). Hence, subtracting the edges for hyperrectangles with
Hamming distance 0, we obtain

$$\begin{aligned}
e(n, k) &= 2^k e(m, k) + m^k (3m + 1)^k - m^k (m + 1)^k \\
&= 2^k e(m, k) + m^k \left[ \sum_{i=0}^{k} \binom{k}{i} (3m)^i - \sum_{i=0}^{k} \binom{k}{i} m^i \right] \\
&= 2^k e(m, k) + m^k \sum_{i=1}^{k} \binom{k}{i} (3^i - 1) m^i.
\end{aligned}$$

Replacing $m$ by $n/2$, we obtain

$$e(n, k) = 2^k e\left(\frac{n}{2}, k\right) + \sum_{i=1}^{k} \binom{k}{i} (3^i - 1) \left(\frac{n}{2}\right)^{k+i}.$$

Moreover, $e(1, k) = 0$ for all $k$. Hence, we may apply Proposition 17, thereby obtaining



^k\ ,_,- , /n\*+'= 



as required. 

Clearly the number of derivation steps $d(n)$ obeys the recurrence relation $d(n) = 1 + d(n/2)$,
from which it immediately follows that $d(n) = \log n$. ■
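
A brute-force check of the counting argument in this proof, as an added example (not code from the paper): it enumerates $T_n^k$ for small $n$ and $k$, charges $2^d$ edges to every hyperrectangle that crosses the split in $d \ge 1$ dimensions, and compares the total with $m^k[(3m+1)^k - (m+1)^k]$ and with the recurrence for $e(n,k)$. All function names are this example's own, and `e_unrolled` is the recurrence unrolled here for powers of 2, not a formula copied from the page.

```python
from itertools import product
from math import comb

def intervals(n):
    """T_n: all intervals [x, y] with 1 <= x <= y <= n."""
    return [(x, y) for x in range(1, n + 1) for y in range(x, n + 1)]

def straddle_edges(n, k):
    """Brute force over T_n^k (n = 2m): a hyperrectangle that crosses the
    midpoint m in d >= 1 dimensions gets 2^d edges, one per child piece."""
    m = n // 2
    total = 0
    for rect in product(intervals(n), repeat=k):
        d = sum(1 for x, y in rect if x <= m < y)  # Hamming distance of endpoints
        if d:
            total += 2 ** d
    return total

def straddle_formula(m, k):
    """m^k[(3m+1)^k - (m+1)^k], the non-recursive term of the recurrence."""
    return m**k * ((3 * m + 1) ** k - (m + 1) ** k)

def straddle_expanded(m, k):
    """The same term after the binomial expansion: sum_i C(k,i)(3^i-1)m^(k+i)."""
    return sum(comb(k, i) * (3**i - 1) * m ** (k + i) for i in range(1, k + 1))

def e(n, k):
    """e(n,k) = 2^k e(n/2,k) + straddle term, e(1,k) = 0; n a power of 2."""
    return 0 if n == 1 else 2**k * e(n // 2, k) + straddle_formula(n // 2, k)

def e_unrolled(n, k):
    """Recurrence unrolled level by level (this example's derivation):
    (n/2)^k * sum_i C(k,i)(3^i-1)(n^i-1)/(2^i-1). Divisions are exact."""
    return (n // 2) ** k * sum(
        comb(k, i) * (3**i - 1) * ((n**i - 1) // (2**i - 1))
        for i in range(1, k + 1))

def depth(n):
    """Derivation steps: d(n) = 1 + d(n/2), d(1) = 0, so d(n) = log2 n."""
    return 0 if n == 1 else 1 + depth(n // 2)

if __name__ == "__main__":
    for k in (1, 2, 3):
        for n in (2, 4, 8):
            brute = straddle_edges(n, k)
            assert brute == straddle_formula(n // 2, k) == straddle_expanded(n // 2, k)
            assert e(n, k) == e_unrolled(n, k)
            print(f"k={k} n={n}: split edges={brute}, e(n,k)={e(n, k)}, steps={depth(n)}")
```
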

Corollary 18 There exists a set of enforcing edges E such that 

2'=(2fe-l) '^ '^' "^ 2fc(2fe - 1) 

and the diameter of $(T_n^k, E)$ is $\log n$.

Proof The term in the left-hand side of the inequality is simply the last term in the summation
in ([3]). Now note that

$$\frac{3^i - 1}{2^i - 1} \le \frac{3^{i+1} - 1}{2^{i+1} - 1}$$

for all $i \ge 1$. Hence, we have



,k ^ 



n* ^ /fc\ (3^- l)(n'-l) 7i*(3'=-l) ^ /fc 



<-^k) -^^^{,} 27^1 <^2FW^)^\^^ ' '^ 

< 2^(2^-1) A. l^i J" < 2^(2fe-l)^^^ ' 
as required. 

Remark 19 Since $|T_n^k| = \frac{1}{2^k}\, n^k (n + 1)^k$, the above result implies that $|E|$ is 8 ( (|) IT,



To conclude this section, we state and prove a result that provides an upper bound on the
number of edges required in an enforcing set when we assume that a user may have up to $2^k$
keys. We do not describe the recursive procedure that is used to label special nodes, as it is a
straightforward generalization of the techniques described in Sections 13.21 and [



Theorem 20 There exists a set of enforcing edges $E$ such that

$$|E| \le 2kn^k (n^{k-1} + \log n - 1),$$

the graph of $(T_n^k, E)$ comprises $2^k$ disconnected components and the diameter of the graph is $\log n$.

Proof Let $n = 2m$ for some integer $m$. Then we can divide the hypercube $T_n^k$ into $2^k$ copies of
the hypercube $T_m^k$. As before, without loss of generality, we consider the hypercube $T_m^k$ in which
all intervals are of the form $[x_i, y_i]$ with $[x_i, y_i] \in [1, m]$. The special hyperrectangles in this copy
of $T_m^k$ have the form $\prod_{i=1}^{k} [x_i, y_i]$, where $x_i = m$ or $y_i = m$ for some $i$. Since we can choose any one
of $k$ intervals in which to fix an endpoint, the total number of special rectangles in a particular
copy of $T_m^k$ is no greater than

$$km \left(\frac{1}{2}m(m + 1)\right)^{k-1} = \frac{1}{2^{k-1}}\, k m^k (m + 1)^{k-1}.$$

There are $2^k$ copies of $T_m^k$, hence the total number of special rectangles of the form $\prod_{i=1}^{k} [x_i, y_i]$,
where $x_i = m + 1$ or $y_i = m$ for some $i$, is $2km^k(m + 1)^{k-1}$ (compare the case $k = 2$ in Section[
Hence, $s(n)$, the total number of special rectangles will satisfy the following recursively defined
inequality:

$$s(n) \le 2km^k(m + 1)^{k-1} + 2^k s(m).$$
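Re-writing, we have

$$s(n) \le 2^k s\left(\frac{n}{2}\right) + 2k \left(\frac{n}{2}\right)^k \left(\frac{n}{2} + 1\right)^{k-1},$$

and applying the binomial theorem, we obtain

$$s(n) \le 2^k s\left(\frac{n}{2}\right) + 2k \sum_{i=0}^{k-1} \binom{k-1}{i} \left(\frac{n}{2}\right)^{k+i};$$
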

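finally, applying Proposition 17, we have

$$s(n) \le 2k \left(\frac{n}{2}\right)^k \left( \log n + \sum_{i=1}^{k-1} \binom{k-1}{i} \frac{n^i - 1}{2^i - 1} \right).$$

Now the maximum out-degree of any special hyperrectangle is $2^k$, so $e(n) \le 2^k s(n)$; and

$$\frac{n^i - 1}{2^i - 1} \le \frac{n^{i+1} - 1}{2^{i+1} - 1}$$

for all $n \ge 2$ and all $i \ge 1$. Hence, we have

$$e(n) \le 2kn^k \left( \log n + \frac{n^{k-1} - 1}{2^{k-1} - 1} \sum_{i=1}^{k-1} \binom{k-1}{i} \right) = 2kn^k \left( \log n + n^{k-1} - 1 \right),$$

as required. ■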

There is little related work on interval-based access control for arbitrary dimensions.
Yuan and Atallah (2009), whose work was briefly described in SectionlH, stated that their methods
for geo-spatial access control could be generalized to higher dimensions, without providing any
details. Srivatsa, Iyengar, Yin, and Liu (2008) generalized the notion of binary encryption trees
to geo-spatial access control and higher dimensions. The number of keys and the number of key
derivation steps required are O (2^^+^ log n) where $k$ is the number of dimensions. The schemes
we describe in this paper are the first in which each user has a single key.

6 Concluding Remarks 

In this paper we consider the enforcement of an interval-based access control policy,
which generalizes the temporal and geo-spatial access control policies in the
literature (Atallah, Blanton, and Frikken 2007a; Atallah, Blanton, and Frikken 2007b;
De Santis, Ferrara, and Masucci 2008). Such policies can be enforced using cryptographic
methods, often called key assignment schemes. There are several efficient key assignment
schemes in the literature, in the sense that the amount of storage and the time taken to derive 
cryptographic keys is considerably less than that required if standard enforcement schemes are 
applied directly. These efficient schemes exist because of the particular structure of the graph 
that is used to represent interval-based access control policies. Existing work has used generic 
techniques for reducing the diameter of the graph, without considering the particular relationship 
between the access control policy and the desired graph. 

In this paper we have developed a number of efficient enforcement schemes that have consid- 
erable advantages over existing ones. We focus on the development of novel techniques to provide 
efficient schemes designed specifically for interval-based access control policies, rather than using 
more generic techniques. Our approach enables us to produce, in almost all cases, exact values 
for the number of edges and the number of steps required to derive a key, in contrast to existing 
work in the literature (as shown by Figure 6). Moreover, we demonstrate that our constructions
can be generalized to higher dimensions, yielding new insights into the efficient cryptographic 
enforcement of interval-based access control policies. 

One disadvantage of our work in Section 5 is that we assumed that each dimension contained
intervals in $T_n$ for some fixed $n$. In practical applications, this may not be a reasonable assumption,
and it may be prohibitively expensive to "pad" each dimension and work with $T_N^k$, where $N =
\max\{n_1, \dots, n_k\}$ and $n_i$ is the number of points in the $i$th dimension. One important aspect of
our future work, therefore, will be to try to extend our results in Section 5 for $T_n^k$ to the more
general case $T_{n_1} \times \cdots \times T_{n_k}$.

Perhaps the most interesting area for future work is to consider more expressive access con- 
trol policies and their enforcement using cryptographic techniques. At the moment, we consider 
intervals defined over a totally ordered set of attributes A. We also intend to consider policies 
where A is some partially ordered set and users and objects are associated with subsets of A. Of
particular interest is the case where A is a powerset defined over some set of attributes, since the
resulting policies would be analogous to those used in ciphertext-policy attribute-based encryption
(Bethencourt, Sahai, and Waters 2007). We have recently published some preliminary results
in this area (Crampton 2010).

A Extending our constructions

We now consider what modifications are required to our work to enable the derivation of keys for
all nodes in $T_m$ (rather than just leaf nodes). We do this to demonstrate that we can extend our
constructions to the cases that are considered by previous researchers.

We first consider the following problem. Given a diamond-shaped grid $D_m$ (illustrated in
Figure 10), how can we reduce the diameter of the graph by adding a small number of edges?
Clearly, the number of edges in the grid is {m — 1)^ and the diameter of the graph is $2m - 2$ for
the set of edges shown in Figure 10(a). Consider the following construction.

Construction 3 

1. Divide $D_{2m}$ into four copies of $D_m$.

2. Label these copies $D_m$, $D_m$, $D_m$ and $D_m$ (bottom to top and left to right, as illustrated
in Figure 10).

3. For each node $[x, y] \in D_m$ we define a set of nodes $C_{x,y}$, such that

$|C_{x,y} \cap D_m^{(i,j)}| = 1$ and $|C_{x,y}| = 4$.

Specifically, for all $i$ and $j$, the largest node in $D_m^{(i,j)}$ that is less than or equal to $[x, y]$ belongs

4. For each node $[x, y] \in D_m$ we connect the four nodes in $C_{x,y}$ together using 4 edges. In
doing this, we can get from any node in $C_{x,y}$ to another element of $C_{x,y}$ in a different copy
of $D_m$ in no more than two hops.

5. We now apply this construction recursively to each copy of $D_m$.

An enforcing edge set for $D_4$ of diameter 3 is shown in Figure 10(b). The dashed lines represent
the edges connecting copies of $D_2$; each copy of $D_2$ is labeled in the manner described above.





Figure 10: $D_4$. (a) The basic edge set; (b) an enforcing edge set of diameter 3.

From this construction we deduce the recurrence relation

where $E_D$ represents the number of edges required for $D_m$. And from this recurrence relation we
can prove by induction that $E_D(m) = m^2 \log m$. Let $d(m)$ be the diameter of the graph $(D_m, E)$,
where $E$ is the edge set obtained from the above construction. Then we have $d(m) = 2 + d(m/4)$,
from which we may deduce that $d(m) = \log m$.

We can now construct an enforcing set of edges for $T_m$. Consider the following construction.

Construction 4 

1. Divide $T_{2m}$ into two copies of $T_m$, labeled $T_m$ and $T_m$, and a diamond $D_m$.

2. For each node $[x, y] \in D_m$ define $C_{x,y}$ to be the following set of nodes:

• $[x, y]$;

• the largest element in $T_m$ that is less than $[x, y]$; and

• the largest element in $T_m$ that is less than $[x, y]$.

3. For each node $[x, y] \in D_m$ add two edges to connect it to the other two nodes in $C_{x,y}$. Hence,
it is now possible to get from any node in $D_m$ to a node in each copy of $T_m$ in one hop.

4. Apply this construction recursively to $T_m$ and $T_m$.

5. Construct a set of edges for each of $D_m$, $D_m$, $D_m$ and $D_m$.

From this construction we deduce the recurrence relation 

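$$\begin{aligned}
E_T(m) &= 2\,\frac{m^2}{4} + E_D\left(\frac{m}{2}\right) + 2E_T\left(\frac{m}{2}\right) \\
&= \frac{1}{2}m^2 + \frac{1}{4}m^2(\log m - 1) + 2E_T\left(\frac{m}{2}\right) \\
&= \frac{1}{4}m^2(\log m + 1) + 2E_T\left(\frac{m}{2}\right),
\end{aligned}$$

where $E_T(m)$ denotes the number of edges required for $T_m$.

Proposition 21 For all $n \ge 2$, $E_T(n) = \frac{1}{2}n^2 \log n$.

Proof By inspection, we have $E_T(2) = 2$, so the result holds for $n = 2$. Now assume that the
result holds for all $n < N$. Then

$$\begin{aligned}
E_T(N) &= \frac{1}{4}N^2(\log N + 1) + 2E_T\left(\frac{N}{2}\right) \\
&= \frac{1}{4}N^2(\log N + 1) + 2\left(\frac{N^2}{8}(\log N - 1)\right) \quad \text{by inductive hypothesis} \\
&= \frac{1}{2}N^2 \log N
\end{aligned}$$

as required. ■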

B Multi-key constructions for temporal access control 

B.1 The case $k = 3$

Suppose that $m = ab$. Then we can treat $T_m$ as a triangle $T_b$, in which the leaf supernodes
are copies of $T_a$ and the non-leaf supernodes are copies of $D_a$. Now any interval $[x, y]$ can be
represented as the union of no more than three intervals $[x, z_1]$, $[z_1 + 1, z_2]$, $[z_2 + 1, y]$, where $z_1$
and $z_2$ are multiples of $a$. Then $[z_1 + 1, z_2]$ has the form $[z'_1 a + 1, z'_2 a]$, for some integers $z'_1$ and
$z'_2$, and can be represented as the interval $[z'_1, z'_2]$ in T^. Figure 11 illustrates $T_{36}$ split into copies
of $T_6$ and $D_6$. The interval [3, 25], for example, can be represented as [3, 6] ∪ [7, 24] ∪ [24, 25], and
[7, 24] can be treated as the interval [1, 3] in a copy of $T_4$ comprising interior copies of $D_6$.

Hence, we only require key derivation edges between the "interior" maximal nodes in each
diamond supernode and the nodes in each triangle supernode. An exterior maximal node is of
the form $[1, z'_1 a]$ or $[z'_2 a + 1, m]$: $[1, z'_1 a]$ is the union of the intervals $[1, a]$ and $[a + 1, z'_1 a]$; and
$[z'_2 a + 1, m]$ is the union of the intervals $[z'_2 a + 1, (b - 1)a]$ and $[(b - 1)a + 1, m]$. In other words,
all intervals corresponding to maximal nodes in an exterior diamond supernode can be treated
as the union of a leaf supernode and an interior diamond supernode. Clearly we can apply this
construction recursively, yielding the following construction.

Construction 5 Let $m = a_1 \cdots a_k$.

1. Treat $T_m$ as a tree $T_{a_1}$ comprising supernodes $T_{m/a_1}$ and $D_{m/a_1}$.

2. Mark every node in the upper edges of each copy of $T_{m/a_1}$ as a special node (as in Construction\^.

More formally, denote the $i$th leaf supernode by $T^{(i)}_{m/a_1}$, $1 \le i \le a_1$. Then

$$T^{(i)}_{m/a_1} = \{[x + (i - 1)m/a_1,\; y + (i - 1)m/a_1] : 1 \le x \le y \le m/a_1\},$$

and we define the set of special nodes to be



ai — 1 



M {[x, {i — l)m/ai, im/ai] : 1 ^ x ^ m/ai} U I J {[im/ai + l.y] : 1 ^ y ^ rn/ai} 

i=l i=l 

3. Mark the maximal node in each interior copy of $D_{m/a_1}$ as a special node. This set of nodes
has the form $\{[im/a_1 + 1, jm/a_1] : 1 < i \le j < a_1\}$ and hence these nodes are in one-to-one
correspondence with $T_{a_1 - 2}$ (under the mapping $[im/a_1 + 1, jm/a_1] \mapsto [i - 1, j - 1]$). Construct
a set of key derivation edges for this set of nodes by applying binary decomposition to $T_{a_1 - 2}$.

4. If $m/a_1 \ge 2$, repeat for all leaf supernodes $T_{m/a_1}$.

Finally, define every key allocation edge that connects two special nodes to be a key derivation
edge.

The application of this construction to $T_{36}$ is illustrated in Figure 11. The faint dashed lines
illustrate the recursive partitioning of $T_{36}$ and copies of $T_6$ into supernodes.

Figure 11: The key derivation graph generated by applying Construction 5 to $T_{36}$

Now Step 1 adds no more than $2m$ special nodes* and Step 2 adds $\frac{1}{2}(a_1 - 1)(a_1 - 2)$ special
nodes. Hence, the number of special nodes satisfies the inequality

$$s(m) \le 2m + \frac{1}{2}(a_1 - 1)(a_1 - 2) + a_1 s\left(\frac{m}{a_1}\right).$$

Now for ai ^ ^/ro and a^+i ^ ^y7li we have $s(m) \le \frac{5}{2}m + a_1 s(m/a_1)$ and we can easily prove
by induction that $s(m) \le \frac{5}{2}m \log\log m$. By construction, the out-degree of each node in the key
derivation graph is 2, so $e(m) \le 5m \log\log m$.

Moreover, the number of hops $d(m)$ satisfies the inequality

$$d(m) \le \lceil \log(\sqrt{m} - 2) \rceil + d(\sqrt{m}) < \frac{1}{2}\log m + 1 + d(\sqrt{m}).$$

Hence, we may conclude that $d(m) \le \log m + \lceil \log\log m \rceil$.

* In fact, Step 1 adds precisely $m/a_1 + (a_1 - 2)(2m/a_1 - 1) + m/a_1$ special nodes.

B.2 The case $k \ge 4$

For $k = 3$, we ensure that we can derive keys for the maximal nodes in each diamond supernode
using a single key. When $k \ge 4$, we simply require that we can derive keys for the maximal nodes
using $k - 2$ keys.

Let $s(m, k)$ denote the number of special nodes required to construct a scheme with $k$ keys for
$T_m$. Then we have

$$s(m, k) \le 2m + s(a_1 - 2, k - 2) + a_1 s(m/a_1, k).$$

Consider $k = 4$: let $a_1 = m/\log m$ and $a_{i+1} = a_i/\log a_i$, and recall that the number of special
nodes required by a 2-key scheme for $T_m$ is no greater than $m \log m$. Then we have

$$\begin{aligned}
s(m, 4) &\le 2m + \frac{m}{\log m} \log\left(\frac{m}{\log m}\right) + \frac{m}{\log m}\, s(\log m, 4) \\
&< 3m + \frac{m}{\log m}\, s(\log m, 4).
\end{aligned}$$

From this inequality, we prove by induction that $s(m, 4) \le 3m \log^* m$. Clearly the result holds for
$m = 4$. Suppose, then, that $s(m, 4) \le 3m \log^* m$ for all $m < N$.

$$\begin{aligned}
s(N, 4) &\le 2N + s\left(\frac{N}{\log N}, 2\right) + \frac{N}{\log N}\, s(\log N, 4) \\
&\le 2N + \frac{N}{\log N} \log\left(\frac{N}{\log N}\right) + \frac{N}{\log N}\, 3 \log N \log^*(\log N) \quad \text{by inductive hypothesis} \\
&< 3N + 3N \log^*(\log N) \\
&= 3N(1 + \log^*(\log N)) \\
&= 3N \log^* N
\end{aligned}$$

Hence, we require no more than $6m \log^* m$ edges to construct a 4-key scheme for $T_m$. We also
have

$$d(m) \le \lceil \log(m/\log m) \rceil + d(\log m) \le \log m - \log\log m + 1 + d(\log m),$$

and there are at most $\lceil \log^* m \rceil$ recursive steps, so (applying a similar argument to the one used
for $k = 3$) we have $d(m) \le \log m + \lceil \log^* m \rceil$. We summarize the results of this section in the
following theorem, which is stated without proof.

Theorem 22 There exist enforcing sets of edges $E_1$, $E_2$ and $E_3$ such that

• $|E_1| = 2m \log m$, the graph $(T_m, E_1)$ comprises two disconnected components, and the
diameter of $(T_m, E_1)$ is $\lceil \log m \rceil$;

• $|E_2| = 5m \log\log m$, the graph $(T_m, E_2)$ comprises three disconnected components, and the
diameter of $(T_m, E_2)$ is $\log m + \lceil \log\log m \rceil$;

• $|E_3| = 6m \log^* m$, the graph $(T_m, E_3)$ comprises four disconnected components, and the
diameter of $(T_m, E_3)$ is $\log m + \lceil \log^* m \rceil$;






